The present disclosure generally relates to whitelisting management in an access manager. In particular, the disclosure relates to an application that is configured to control access to resources, such as Oracle® Access Manager (OAM), that is capable of constructing a whitelist of redirection uniform resource locators (URLs).
An access manager, such as OAM, can provide access management for applications, data and web services. Further, an access manager can be used to provide centralized single sign-on and single sign-out for applications, servers, and data.
An access manager can provide a single sign-out in which an application invokes a logout URL and the single sign-on (SSO) session is terminated. As part of the sign-out, the application can also determine the web page to which the user should be redirected after the logout is performed. That web page is identified by a redirection URL, which the application appends to the logout URL as the value of a parameter such as “end URL.” Once the access manager performs the logout, it redirects the user to the location pointed to by the end URL. However, there is a security concern with redirecting the user to an end URL whose authenticity has not been validated: the value arrives in the request, so anyone who can construct a logout link controls where the user lands after logout, and an unvalidated end URL therefore functions as an open redirect that can send a freshly logged-out user to an attacker-chosen page.
In some instances, an administrator of the access manager can manually maintain a list of end URLs that are approved for redirection after logging out of a single sign-on session. That is, an administrator can manually maintain a list (referred to as a “whitelist”) of approved end URLs. Any changes or updates to this list have to be managed manually by the administrator. The administrator also needs to be aware of each application's URL nuances, such as the scheme, host and port an application actually uses. This is burdensome and error-prone, and the resulting whitelist may be incomplete or out of date.
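The validation step that the two preceding paragraphs motivate, shown as an added example that is not part of this disclosure and not OAM's own code: a logout handler extracts the end URL parameter, checks it against a whitelist, and falls back to a fixed post-logout page when the check fails. The whitelist entries, the parameter name `end_url`, the fallback URL and the helper names are assumptions made for the example. The checks cover the URL nuances an administrator would otherwise have to reason about by hand: missing scheme, scheme-relative `//host` forms, userinfo and port tricks, look-alike subdomains, and non-HTTP schemes.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed whitelist of (scheme, host) pairs approved for post-logout
# redirection. Hostnames are hypothetical; compare only lower-cased values.
WHITELIST = {
    ("https", "app.example.com"),
    ("https", "portal.example.com"),
}

# Hypothetical safe landing page used whenever the supplied end URL is rejected.
DEFAULT_END_URL = "https://portal.example.com/loggedout"


def is_whitelisted(end_url, whitelist=WHITELIST):
    """Return True only if end_url is an absolute http(s) URL whose host is approved."""
    # Browsers treat a backslash like a slash in the authority, Python does not;
    # reject outright rather than risk the two parsers disagreeing on the host.
    if "\\" in end_url:
        return False
    parts = urlsplit(end_url)
    # urlsplit lower-cases the scheme. Relative URLs and "//evil.com" have no
    # scheme and are rejected, as are javascript:, data: and similar schemes.
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased, userinfo and port stripped
    if not host:
        return False
    # Require the authority to be exactly the bare host: this rejects
    # "https://app.example.com@evil.com/" (hostname would be evil.com anyway)
    # and "https://app.example.com:8443/" (port not on the whitelist).
    if parts.netloc.lower() != host:
        return False
    # Exact host match: "app.example.com.evil.com" does not match "app.example.com".
    return (parts.scheme, host) in whitelist


def resolve_post_logout_redirect(logout_url, whitelist=WHITELIST,
                                 fallback=DEFAULT_END_URL):
    """Given the full logout request URL, decide where the user is sent after logout."""
    query = parse_qs(urlsplit(logout_url).query)
    end_url = query.get("end_url", [None])[0]  # parameter name is an assumption
    if end_url is None:
        return fallback
    return end_url if is_whitelisted(end_url, whitelist) else fallback


if __name__ == "__main__":
    # Constructed logout requests: one with an approved end URL, one pointing elsewhere.
    approved = "https://sso.example.com/logout?end_url=https%3A%2F%2Fapp.example.com%2Fhome"
    hostile = "https://sso.example.com/logout?end_url=https%3A%2F%2Fevil.com%2Flogin"
    print(resolve_post_logout_redirect(approved))
    print(resolve_post_logout_redirect(hostile))
```

The whitelist here is keyed on scheme and host only; a deployment that needs finer control can add a path prefix to each entry and compare `parts.path` against it in the same place. The fallback-on-failure behaviour is deliberate: silently redirecting to a safe page completes the logout without giving an attacker any signal about which hosts are approved.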